From ${URL} :

When basic HTTP authentication base64 string does not contain colon character (or contains it after NULL byte - can be inserted inside base64 encoding), then that situation is logged with a string ": is missing in " and the simply decoded base64 string. This means that new lines, NULL byte and everything else can be encoded with base64 and are then inserted into logs as they are after decoding.

For example header "Authorization: Basic dGVzdAAKMjEwMC0wMS0wMSAwMDowMDowMDogKG1hZ2ljLmMuODU5KSBJVCdTIFRIRSBFTkQgT0YgVEhFIFdPUkxEIQ==" results in two log lines:

2015-05-14 12:55:54: (http_auth.c.859) : is missing in test
2100-01-01 00:00:00: (magic.c.859) IT'S THE END OF THE WORLD

Upstream issue: http://redmine.lighttpd.net/issues/2646

External References: http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2015-3200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3200): mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.
Fixed in 1.4.36 - http://www.lighttpd.net/2015/7/26/1.4.36/
1.4.37-r1 is in the tree. Are we ready for stabilization?
There are various bugs holding up the last few versions of lighttpd. I've spoken with upstream and they're aiming for 1.4.42 to be a more-stable release, due some time in October. Most of the existing bugs (including this one) are fixed by 1.4.40 and 1.4.41, but both have known issues. I will include a live ebuild as a temporary solution for users (and to facilitate development on lighttpd itself), but currently no newer ebuilds are suitable for stable and I think we'd be doing our users a disservice by replacing one buggy version with another.
lighttpd-1.4.42 recently hit our git tree. I'm hoping it's solid enough for a stable candidate so we can put this bug behind us. It appears this bug has been fixed upstream for a while, but 1.4.42 is the first version since 1.4.35 so far that has a chance at meeting our stability criteria. Please test 1.4.42 and confirm this particular bug is fixed. I'm adding the InVCS keyword so we know it's on track to stabilize.
Like comment #2 said, this was already fixed by upstream in v1.4.36. It hits our repository with v1.4.37 via https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/lighttpd?id=631ae96fe8a9914dae5f67b43030dafd15e3c6e4

@ Maintainer(s): So yes, =www-servers/lighttpd-1.4.42 is a stable candidate. Can we start stabilization?
(In reply to Thomas Deutschmann from comment #6)
> Like comment #2 said this was already fixed by upstream in v1.4.36. It hits
> our repository with v1.4.37 via
> https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/lighttpd?id=631ae96fe8a9914dae5f67b43030dafd15e3c6e4
>
> @ Maintainer(s): So yes, =www-servers/lighttpd-1.4.42 is a stable candidate.
> Can we start stabilization?

Based on what I've found in Bugzilla, most open bugs are IN_PROGRESS waiting for stabilization to get properly closed. I see no open bugs for 1.4.42, so I'll get the stabilization bug started.
My mistake; I wasn't aware we generally do stabilization inside CVE bugs. Disregard my prior comment. I recommend www-servers/lighttpd-1.4.42 for stabilization.
(In reply to Daniel Campbell from comment #8)
> My mistake; I wasn't aware we generally do stabilization inside CVE bugs.
> Disregard my prior comment. I recommend www-servers/lighttpd-1.4.42 for
> stabilization.

Daniel, as maintainer you can call for stable once the whiteboard has "stable?" or you have committed the new ebuild.

@arches, please stabilize: =www-servers/lighttpd-1.4.42
amd64 stable
x86 stable
*** Bug 604410 has been marked as a duplicate of this bug. ***
ppc stable
ia64 stable
sparc stable
ppc64 stable
arm stable
Stable for HPPA.
GLSA Vote: No

@ Maintainer(s): Please clean up and drop at least <www-servers/lighttpd-1.4.37!
commit c38a32ae672f32fc1e8d305d9f8204cc40be75a5
Author: Daniel Campbell <zlg@gentoo.org>
Date:   Mon Jan 30 05:09:43 2017 -0800

    www-servers/lighttpd: Cleanup old <1.4.42

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
All done, repository is clean.